Sign up to receive free email alerts when patent applications with chosen keywords are publishedSIGN UP

Abstract:

There is provided an information processing apparatus including a key
selection section configured to select one out of a plurality of
different secret keys, in a public key authentication scheme or a digital
signature scheme in which each of the plurality of secret keys exists for
one public key registered in a verifier, and a process execution section
configured to execute, by using the secret key selected by the key
selection section, an authentication process with the verifier by the
public key authentication scheme or a digital signature generation
process to the verifier by the digital signature scheme.

Claims:

1. An information processing apparatus comprising: a key selection
section configured to select one out of a plurality of different secret
keys, in a public key authentication scheme or a digital signature scheme
in which each of the plurality of secret keys exists for one public key
registered in a verifier; and a process execution section configured to
execute, by using the secret key selected by the key selection section,
an authentication process with the verifier by the public key
authentication scheme or a digital signature generation process to the
verifier by the digital signature scheme.

2. The information processing apparatus according to claim 1, wherein the
key selection section is configured to select one out of the plurality of
secret keys at random when performing the authentication process with the
verifier or the digital signature generation process.

3. The information processing apparatus according to claim 2, wherein the
key selection section is configured to select one out of the plurality of
secret keys at random for each authentication process or digital
signature generation process, in a case where the process execution
section completes a one-time authentication by repeating the
authentication process with the verifier, or in a case where the process
execution section completes a generation of a one-time digital signature
by repeating the digital signature generation process.

4. The information processing apparatus according to claim 1, wherein the
process execution section is configured to register, in the verifier, a
first hash value obtained by applying a hash function to a first secret
key within the plurality of secret keys.

5. The information processing apparatus according to claim 4, wherein the
process execution section is configured to apply the hash function to a
secret key used when performing the authentication process with the
verifier by the public key authentication scheme or the digital signature
generation process to the verifier by the digital signature scheme, and
transmit, to the verifier, a second hash value to be compared with the
first hash value.

6. The information processing apparatus according to claim 5, further
comprising: a comparison function section configured to compare the first
hash value and the second hash value when the verifier performs a
verification process using the public key authentication scheme or the
digital signature scheme, and execute a prescribed notification process
in accordance with a result of the comparison.

7. The information processing apparatus according to claim 1, wherein the
plurality of secret keys are registered in respective different
apparatuses, and wherein the key selection section is configured to
select the registered secret keys.

8. The information processing apparatus according to claim 1, wherein the
public key authentication scheme or the digital signature scheme is a
public key authentication scheme which sets (s of Kn) to a secret
key, and sets a multi-order polynomial fi(x1, . . . , xn)
(i=1 to m) on a ring K and yi=fi(s) to a public key.

9. An information processing method comprising: selecting one out of a
plurality of different secret keys, in a public key authentication scheme
or a digital signature scheme in which each of the plurality of secret
keys exists for one public key registered in a verifier; and executing,
by using the secret key selected by the key selection step, an
authentication process with the verifier by the public key authentication
scheme or a digital signature generation process to the verifier by the
digital signature scheme.

10. A non-transitory computer-readable medium including a computer
program, which when executed by a computer, causes the computer to:
select one out of a plurality of different secret keys, in a public key
authentication scheme or a digital signature scheme in which each of the
plurality of secret keys exists for one public key registered in a
verifier; and execute, by using the secret key selected by the key
selection step, an authentication process with the verifier by the public
key authentication scheme or a digital signature generation process to
the verifier by the digital signature scheme.

11. An information processing apparatus comprising: a comparison
processing section configured to acquire, in a public key authentication
scheme or an digital signature scheme in which a plurality of different
secret keys exist for one public key, a first hash value obtained by a
prover applying a hash function to a first secret key within the
plurality of secret keys, and a second hash value obtained by the prover
applying a hash function to a secret key used when performing an
authentication process with a verifier or a digital signature generation
process to the verifier by the digital signature scheme; compare the
first hash value and the second hash value when performing a verification
process using the public key authentication scheme or the digital
signature scheme; and execute a prescribed notification process to the
prover in accordance with a result of the comparison.

Description:

BACKGROUND

[0001] The present disclosure relates to an information processing
apparatus, an information processing method, and a non-transitory
computer-readable medium.

[0002] With a rapid development of information processing technology and
communication technology, digitisation of documents, official and
private, is rapidly advancing. Accordingly, many individuals and
companies are greatly interested in security management of electronic
documents. With the increase in the interest, security against tampering,
such as eavesdropping and forgery of electronic documents, has come to be
hotly debated in many fields. The security against eavesdropping on an
electronic document is ensured by encrypting the electronic document, for
example. Also, the security against forgery of an electronic document is
ensured by using a digital signature, for example. However, encryption
and the digital signature have to be sufficiently tamper-resistant.

[0003] In general, public key encryption technology is widely used for
personal verification. A public key encryption scheme is an
authentication scheme where some person (prover) convinces another person
(verifier) that she is the prover herself by using a public key and a
secret key.

[0004] In this public key encryption technology, leakage of the secret key
is an event which should be avoided the most. Since a secret key is
necessary for authentication, signing or the like for personal
verification, it is desirable that the prover can access the secret key
as necessary. For example, it may be required for the prover to store a
secret key such as a password, to carry a secret key written down on
paper, or to carry a secret key stored in a device such as an IC card.
For example, JP 2011-87284A discloses technology of an authentication
system by an IC card in which a secret key is included.

SUMMARY

[0005] In public key encryption technology, since a secret key is not as
easy to remember as a password, it is not easy for the prover to memorize
the secret key. Further, if the secret key is written down on paper,
there is a high risk that the contents of this secret key will be leaked
to another person due to peaking or secret photography by the other
person. In the public key encryption technology of the related art, since
authentication is performed by using one type of secret key corresponding
to one public key, if the secret key is leaked, it is not known whether
the secret key was that used by the person herself or whether spoofing
has been executed by another person. If the secret key is leaked,
spoofing after the time of key leakage will not be able to be prevented
unless spoofing is detected by some type of method.

[0006] On the other hand, in the case where a secret key is stored in a
device such as an IC card, spoofing by another person will be difficult
unless this IC card is lost. In the case where the IC card is lost, if
the use of the secret key stored on the IC card is suspended, spoofing by
another person can be prevented, and expansion of the damage can be
suppressed. However, an analysis method such as a side-channel attack has
been proposed for a device such as an IC card, and if countermeasures are
not applied for this side-channel attack, the secret key may be leaked.

[0007] Further, in the case where authentication by dispersion to a
plurality of servers, signatures by a plurality of users, or the like is
to be implemented, the rights of signature generation or authentication
can be shared for a plurality of people, and group signature technology
has been proposed, for example, as technology for sharing the rights of
signature generation for a plurality of people. However, this group
signature technology refers only to some specific signature schemes, for
specialized applications which share the rights of signature generation
for a plurality of people, and the above described case is not able to be
achieved in an arbitrary signature scheme or authentication scheme.

[0008] Simply, the sharing of a same secret key by a plurality of users
can be considered as another method for sharing the rights of signature
generation or authentication for a plurality of people. However, in this
method which shares a secret key, other users may suffer damage due to a
leakage of the secret key from the management of the key by a neglectful
user. Further, since the same secret key is shared by a plurality of
users, a situation can also be considered in which specifying the user
who leaked the secret key will become difficult, even if trying to find
the user who leaked the secret key from the leaked secret key.

[0009] Accordingly, the present disclosure is made by considering such a
situation. According to an embodiment of the present disclosure, there is
provided a new and improved information processing apparatus, information
processing method, and non-transitory computer-readable medium which
implements a detection method of key leakage, a prevention method of key
leakage, and a suppression method of key leakage, by using a plurality of
secret keys for a same public key.

[0010] According to an embodiment of the present disclosure, there is
provided an information processing apparatus including a key selection
section configured to select one out of a plurality of different secret
keys, in a public key authentication scheme or a digital signature scheme
in which each of the plurality of secret keys exists for one public key
registered in a verifier, and a process execution section configured to
execute, by using the secret key selected by the key selection section,
an authentication process with the verifier by the public key
authentication scheme or a digital signature generation process to the
verifier by the digital signature scheme.

[0011] According to an embodiment of the present disclosure, there is
provided an information processing method including selecting one out of
a plurality of different secret keys, in a public key authentication
scheme or a digital signature scheme in which each of the plurality of
secret keys exists for one public key registered in a verifier, and
executing, by using the secret key selected by the key selection step, an
authentication process with the verifier by the public key authentication
scheme or a digital signature generation process to the verifier by the
digital signature scheme.

[0012] According to an embodiment of the present disclosure, there is
provided a non-transitory computer-readable medium including a computer
program, which when executed by a computer, causes the computer to select
one out of a plurality of different secret keys, in a public key
authentication scheme or a digital signature scheme in which each of the
plurality of secret keys exists for one public key registered in a
verifier, and execute, by using the secret key selected by the key
selection step, an authentication process with the verifier by the public
key authentication scheme or a digital signature generation process to
the verifier by the digital signature scheme.

[0013] According to an embodiment of the present disclosure, there is
provided an information processing apparatus including a comparison
processing section configured to acquire, in a public key authentication
scheme or an digital signature scheme in which a plurality of different
secret keys exist for one public key, a first hash value obtained by a
prover applying a hash function to a first secret key within the
plurality of secret keys, and a second hash value obtained by the prover
applying a hash function to a secret key used when performing an
authentication process with a verifier or a digital signature generation
process to the verifier by the digital signature scheme; compare the
first hash value and the second hash value when performing a verification
process using the public key authentication scheme or the digital
signature scheme; and execute a prescribed notification process to the
prover in accordance with a result of the comparison.

[0014] According to the present disclosure such as described above, a new
and improved information processing apparatus, information processing
method, and non-transitory computer-readable medium can be provided which
implements a detection method of key leakage, a prevention method of key
leakage, and a suppression method of key leakage, by using a plurality of
secret keys for a same public key.

BRIEF DESCRIPTION OF THE DRAWINGS

[0015]FIG. 1 is an explanatory view illustrating a configuration of an
algorithm according to a public key authentication scheme;

[0016]FIG. 2 is an explanatory view illustrating a configuration of an
algorithm according to a digital signature scheme;

[0017]FIG. 3 is an explanatory view illustrating a configuration of an
algorithm according to an n-pass public key authentication scheme;

[0018]FIG. 4 is an explanatory view illustrating an overview of an
authentication process between an authentication processing device 100a,
in which a secret key is stored, and a verification processing device
200a which executes a verification process;

[0019]FIG. 5 is a flow chart which shows an authentication process
between an authentication processing device 100a, in which a secret key
is stored, and a verification processing device 200a which executes a
verification process;

[0020]FIG. 6A is an explanatory view which shows an example of a
differential waveform of an average waveform;

[0021]FIG. 6B is an explanatory diagram which shows an example of a
differential waveform of an average waveform;

[0022]FIG. 7 is a flow chart which shows the operations of a first
embodiment of the present disclosure;

[0023]FIG. 8 is an explanatory view which shows an overview of an
authentication process between an authentication processing device 100b,
in which a secret key is stored, and a verification processing device
200b which executes a verification process;

[0024] FIG. 9 is a flow chart which shows an authentication process
between an authentication processing device 100b, in which a secret key
is stored, and a verification processing device 200b which executes a
verification process;

[0025] FIG. 10 is a flow chart which shows the operations of a second
embodiment of the present disclosure;

[0026] FIG. 11 is an explanatory view which shows the concept of an
authentication system which provides a secret key x to each different
user, by a key generator generating a shared secret key x;

[0027]FIG. 12 is an explanatory view which shows the concept of an
authentication system according to a third embodiment of the present
disclosure;

[0028] FIG. 13 is an explanatory view which shows the concept of an
authentication system according to a third embodiment of the present
disclosure;

[0029]FIG. 14 is a flow chart which shows the operations of a modified
example of the first embodiment of the present disclosure;

[0030]FIG. 15 is an explanatory view illustrating an efficient algorithm
according to a 3-pass public key authentication scheme; and

[0031]FIG. 16 is an explanatory view illustrating a hardware
configuration example of an information processing apparatus capable of
executing the algorithms according to each embodiment of the present
disclosure.

DETAILED DESCRIPTION OF THE EMBODIMENT(S)

[0032] Hereinafter, preferred embodiments of the present disclosure will
be described in detail with reference to the appended drawings. Note
that, in this specification and the appended drawings, structural
elements that have substantially the same function and structure are
denoted with the same reference numerals, and repeated explanation of
these structural elements is omitted.

[0033] The description will be given in the following order.

[0034] <1. Description of a public key authentication scheme and a
secret key>

[0035] <2. The first embodiment of the present disclosure>

[0036] [Overview]

[0037] [Operations]

[0038] <3. The second embodiment of the present disclosure>

[0039] [Overview]

[0040] [Operations]

[0041] <4. The third embodiment of the present disclosure>

[0042] [Overview]

[0043] <5. Modified examples>

[0044] <6. Hardware configuration>

[0045] <7. Conclusion>

1. DESCRIPTION OF A PUBLIC KEY AUTHENTICATION SCHEME AND A SECRET KEY

[0046] Prior to describing suitable embodiments of the present disclosure,
first an overview of a public key authentication scheme and a digital
signature scheme will be described, and to continue, a secret key used by
each of the later described embodiments of the present embodiment will be
described.

[0047] A public key authentication scheme is an authentication scheme
where a person (prover) convinces another person (verifier) that she is
the prover herself by using a public key pk and a secret key sk. For
example, a public key pkA of a prover A is made known to the
verifier. On the other hand, a secret key skA of the prover A is
secretly managed by the prover. According to the public key
authentication scheme, a person who knows the secret key skA
corresponding to the public key pkA is regarded as the prover A
herself.

[0048] In the case the prover A attempts to prove to a verifier B that she
is the prover herself, the prover A can perform an interactive protocol
with the verifier B and prove that she knows the secret key skA
corresponding to the public key pkA. Then, in the case it is proved
by the verifier B, by the interactive protocol, that the prover A knows
the secret key skA, the legitimacy of the prover A (that she is the
prover herself) is proved.

[0049] Additionally, to ensure security of the public key authentication
scheme, two conditions set forth below are to be satisfied.

[0050] The first condition is to lower as much as possible the probability
of falsification being established, at the time the interactive protocol
is performed, by a falsifier not having the secret key sk. That this
first condition is satisfied is called "soundness." In other words, with
a sound interactive protocol, falsification is not established by a
falsifier not having the secret key sk with a non-negligible probability.
The second condition is that, even if the interactive protocol is
performed, information on the secret key skA of the prover A is not
at all leaked to the verifier B. That this second condition is satisfied
is called "zero knowledge."

[0051] The security of the public key authentication scheme is ensured by
using an interactive protocol having the soundness and zero knowledge as
described above.

[0052] In a model of the public key authentication scheme, two entities,
namely a prover and a verifier, are present, as shown in FIG. 1. The
prover generates a pair of public key pk and secret key sk unique to the
prover by using a key generation algorithm Gen. Then, the prover performs
an interactive protocol with the verifier by using the pair of secret key
sk and public key pk generated by using the key generation algorithm Gen.
At this time, the prover performs the interactive protocol by using a
prover algorithm P. As described above, in the interactive protocol, the
prover proves to the verifier, by using the prover algorithm P, that she
possesses the secret key sk.

[0053] On the other hand, the verifier performs the interactive protocol
by using a verifier algorithm V, and verifies whether or not the prover
possesses the secret key corresponding to the public key that the prover
has published. That is, the verifier is an entity that verifies whether
or not a prover possesses a secret key corresponding to a public key. As
described, a model of the public key authentication scheme is configured
from two entities, namely the prover and the verifier, and three
algorithms, namely the key generation algorithm Gen, the prover algorithm
P and the verifier algorithm V.

[0054] Additionally, expressions "prover" and "verifier" are used in the
following description, but these expressions strictly mean entities.
Therefore, the subject that performs the key generation algorithm Gen and
the prover algorithm P is an information processing apparatus
corresponding to the entity "prover". Similarly, the subject that
performs the verifier algorithm V is an information processing apparatus.

(Key Generation Algorithm Gen)

[0055] The key generation algorithm Gen is used by a prover. The key
generation algorithm Gen is an algorithm for generating a pair of public
key pk and secret key sk unique to the prover. The public key pk
generated by the key generation algorithm Gen is published. Furthermore,
the published public key pk is used by the verifier. On the other hand,
the secret key sk generated by the key generation algorithm Gen is
secretly managed by the prover. The secret key sk that is secretly
managed is used to prove to the verifier of possession of the secret key
sk corresponding to the public key pk. Formally, the key generation
algorithm Gen is represented as formula (1) below as an algorithm that
takes security parameter 1.sup.λ (λ is an integer of 0 or
more) as an input and outputs the secret key sk and the public key pk.

(sk,pk)Gen(1.sup.λ) (1)

(Prover Algorithm P)

[0056] The prover algorithm P is used by a prover. The prover algorithm P
is an algorithm for proving possession of the secret key sk corresponding
to the public key pk. The prover algorithm P is defined as an algorithm
that takes the public key pk and the secret key sk of a prover as inputs
and performs the interactive protocol with a verifier.

(Verifier Algorithm V)

[0057] The verifier algorithm V is used by a verifier. The verifier
algorithm V is an algorithm for verifying, in the interactive protocol,
whether or not a prover possesses the secret key sk corresponding to the
public key pk. The verifier algorithm V is defined as an algorithm that
takes the public key pk of a prover as an input, and that outputs 0 or 1
(1 bit) after performing the interactive protocol with the prover.
Moreover, in the case of output 0, the prover is assumed to be
illegitimate, and in the case of output 1, the prover is assumed to be
legitimate. Formally, the verifier algorithm V is represented as formula
(2) below.

0/1V(pk) (2)

[0058] As described above, the public key authentication scheme has to
satisfy two conditions, i.e. soundness and zero knowledge, to ensure
security. However, in order to make a prover prove that she possesses the
secret key sk, it is necessary that the prover perform a procedure
dependent on the secret key sk, notify the verifier of the result and
make the verifier perform verification based on the notified contents.
Execution of the procedure dependent on the secret key sk is necessary to
guarantee the soundness. On the other hand, it is necessary that
information on the secret key sk is not at all leaked to the verifier
even when the result of the procedure is notified to the verifier.
Accordingly, it is necessary that the key generation algorithm Gen, the
prover algorithm P, and the verifier algorithm V are designed so as to
satisfy these terms.

[0059] Next, an overview of the algorithm of a digital signature scheme
will be provided with reference to FIG. 2. FIG. 2 is an explanatory view
illustrating an overview the algorithm of a digital signature scheme.

[0060] In contrast to paper documents, it is difficult to put a stamp or
affix a signature to digitized data. Thus, to prove the creator of
digitized data, an electronic mechanism achieving an effect similar to
putting a stamp or affixing a signature is necessary. The mechanism is
the digital signature. The digital signature is a mechanism in which
signature data known only to the creator of data is provided to a
recipient by associating with the data and the signature data is verified
by the recipient.

(Model)

[0061] In a model of the digital signature scheme, as shown in FIG. 2, two
entities called a signer and a verifier exist. Then, the model of the
digital signature scheme includes three algorithms of the key generation
algorithm Gen, a signature generation algorithm Sig, and a signature
verification algorithm Ver.

[0062] The signer generates a pair of a signature key sk and a
verification key pk unique to the signer by using the key generation
algorithm Gen. The signer also generates a digital signature σ to
be attached to a document M by using the signature generation algorithm
Sig. That is, the signer is an entity that attaches a digital signature
to the document M. On the other hand, the verifier verifies the digital
signature σ attached to the document M by using the signature
verification algorithm Ver. That is, the verifier is an entity that
verifies the digital signature σ to check whether the creator of
the document M is the signer.

[0063] In the description that follows, the expressions of "signer" and
"verifier" are used and these expressions mean entities in a strict
sense. Therefore, the main body executing the key generation algorithm
Gen and the signature generation algorithm Sig is an information
processing apparatus corresponding to the entity of the "signer".
Similarly, the main body executing the signature verification algorithm
Ver is an information processing apparatus. The hardware configuration of
these information processing apparatuses is, for example, as shown in
FIG. 38. That is, the key generation algorithm Gen, the signature
generation algorithm Sig, and the signature verification algorithm Ver
are executed by the CPU 902 or the like based on a program recorded in
the ROM 904, the RAM 906, the storage unit 920, the removable recording
medium 928 or the like.

(Key Generation Algorithm Gen)

[0064] The key generation algorithm Gen is used by the signer. The key
generation algorithm Gen is an algorithm that generates a pair of the
signature key sk and the verification key pk unique to the signer. The
verification key pk generated by the key generation algorithm Gen is made
public. On the other hand, the signature key sk generated by the key
generation algorithm Gen is managed in secret by the signer. Then, the
signature key sk is used for the generation of the digital signature
σ to be attached to the document M. For example, the key generation
algorithm Gen takes a security parameter 1.sup.λ (λ is an
integer equal to 0 or greater) as input and outputs the signature key sk
and the verification key pk. In this case, the key generation algorithm
Gen can be expressed formally like the following formula (3):

(sk,pk)Gen(1.sup.λ) (3)

(Signature Generation Algorithm Sig)

[0065] The signature generation algorithm Sig is used by the signer. The
signature generation algorithm Sig is an algorithm that generates the
digital signature a to be attached to the document M. The signature
generation algorithm Sig is an algorithm that takes the signature key sk
and the document M as input and outputs the digital signature σ.
The signature generation algorithm Sig can formally be expressed like the
following formula (4):

σSig(sk,M) (4)

(Signature Verification Algorithm Ver)

[0066] The signature verification algorithm Ver is used by the verifier.
The signature verification algorithm Ver is an algorithm to verify
whether the digital signature σ is a valid digital signature to the
document M. The signature verification algorithm Ver is an algorithm that
takes the verification key pk of the signer, the document M, and the
digital signature σ as input and outputs 0 or 1 (1 bit). The
signature verification algorithm Ver can formally be expressed like the
following formula (5): The verifier judges that the digital signature
σ is invalid if the signature verification algorithm Ver outputs 0
(the verification key pk rejects the document M and the digital signature
σ) and judges that the digital signature σ is valid if the
signature verification algorithm Ver outputs 1 (the verification key pk
accepts the document M and the digital signature σ).

0/1Ver(pk,M,σ) (5)

(n-Pass Public Key Authentication Scheme)

[0067] Next, an n-pass public key authentication scheme will be described
with reference to FIG. 3. FIG. 3 is an explanatory view illustrating an
n-pass public key authentication scheme.

[0068] The public key authentication scheme is, as described above, an
authentication scheme that proves to the verifier that the prover holds
the secret key sk corresponding to the public key pk during interactive
protocol. Moreover, it is necessary for the interactive protocol to
satisfy two conditions of soundness and zero knowledge. Thus, as shown in
FIG. 3, the prover and the verifier exchange information n times while
each performing respective processing.

[0069] In the n-pass public key authentication scheme, processing (process
#1) is performed by the prover by using the prover algorithm P and
information T1 is transmitted to the verifier. Next, processing
(process #2) is performed by the verifier by using the verifier algorithm
V and information T2 is transmitted to the prover. Further,
processing is performed and information Tk is transmitted
sequentially for k=3 to n before processing (process #n+1) is performed
lastly. The scheme by which information is transmitted and received n
times as described above is called the "n-pass" public key authentication
scheme.

[0070] In the foregoing, the n-pass public key authentication scheme has
been described.

[0071] As described above, there are public key authentication schemes and
digital signature schemes, for example, disclosed in JP 2012-98690A,
which take a basis for security from the difficulty in solving
multi-order multivariate simultaneous equations, as satisfying the
requirements when designing the key generation algorithm Gen, the prover
algorithm P, and the verifier algorithm V. A function used by JP
2012-98690A is a function constituted by an n variable quadratic
polynomial in m lines (m and n are each integers of 2 or more), and by
using this function, a public key authentication scheme such as that of
JP 2012-98690A can generate a plurality of secret keys from one public
key. The function constituted by an n variable multi-order polynomial in
m lines used by JP 2012-98690A is called an MQ (Multivariate Quadratic)
function.

[0072] First, a key generation algorithm of the public key authentication
scheme by JP 2012-98690A will be described. Here, the case will be
considered where a set of quadratic polynomials (f1(x), . . . ,
fm(x)) are used as one part of the public key pk. However, the
quadratic polynomial f1(x) is expressed such as in the following
formula (6). Further, a vector (x1, . . . , xn) is represented
as x, and the set of quadratic polynomials (f1(x), . . . ,
fm(x)) is represented as a multivariable polynomial F(x).

[0073] Further, the set of quadratic polynomials (f1(x), . . . ,
fm(x)) can be expressed such as in the following formula (7).
Further, A1, . . . , Am are n×n matrices. In addition,
b1, . . . , bm are each an n×1 vector.

[0074] When using this expression, the multivariable polynomial F can be
expressed such as in the following formulas (8) and (9). The
establishment of this expression can be easily ascertained from the
following formula (10).

[0075] At the time when dividing into such a first portion, in which
F(x+y) depends on x, a second portion, in which F(x+y) depends on y, and
a third portion, in which F(x+y) depends on both x and y, a term G(x,y)
corresponding to the third portion becomes bilinear for x and y.
Hereinafter, there will be cases where the item G(x,y) is called a
bilinear item. When using this property, it becomes possible to build an
efficient algorithm.

[0076] For example, the multivariable polynomial F1(x), which is used
for a mask of a multivariable polynomial F(x+r), is represented as
F1(x)=G(x,t0)+e0 by using vectors (t0 of Kn) and
(e0 of Km). In this case, the sum of the multivariable
polynomials F(x+r0) and F1(x) is expressed such as in the
following formula (11). Here, if t1=r0+t0 and
e1=F(r0)+e0, the multivariable polynomial
F2(x)=F(x+r0)+F1(x) can be expressed by the vectors
(t1 of Kn) and (e1 of Km). Therefore, if setting
F1(x)=G(x,t0)+e0, F1 and F2 can be expressed by
using a vector on Kn and a vector on Km, and it becomes
possible for an efficient algorithm to be expressed with a reduced data
size necessary for communication.

[0077] Note that information related to r0 from F2 (or F1)
is not leaked at all. For example, as long as e0 and t0 (or
e1 and t1) are not known, the information of r0 is not
able to be known at all, even if provided with e1 and t1 (or
e0 and t0). Therefore, a zero-knowledge property is secured.

[0078] Here, in the case of m=n, an MQ function can obtain x1 and
x2 which becomes F(x1)=F(x2). The specific derivation
method is as follows.

[0079] When n=m, at the time when (Δ of GF) (2n) is provided
for the MQ function, an algorithm will exist which outputs x(s.t.
F(x)=F(x+Δ). This is because the following function holds.

F(x)=F(x+Δ)*F(Δ)+G(x,Δ)=0

[0080] The above described function becomes a simultaneous linear equation
which relates to x=(x1, . . . , xn) and xi=GF(2). Since
the number of the variables xi (i=1, 2, . . . , n) and the line
number m of the formula matches, a solution x can be derived from the
above described simultaneous linear equation.

[0081] Further, when n=cm (c is an integer of 2 or more), at the time when
(Δ1, . . . , Δc of GF) (2n) is provided for
the MQ function, an algorithm will exist which outputs x(s.t.
F(x)=F(x+Δ1)= . . . =F(x+Δc). This is because the
following functions hold.

F(x)=F(x+Δ1)F(Δ1)+G(x,Δ1)=0

F(x)=F(x+Δc)F(Δc)+G(x,Δc)=0

[0082] Each of the above described equations becomes a simultaneous linear
equation which relates to x=(x1, . . . , xn) and xi=GF(2).
When combining each of the above described equations, the line number of
the equation becomes a simultaneous linear equation of cm for the
variables xi (i=1, 2, . . . , n). Therefore, similar to the case of n=m,
a solution x can be derived from the above described simultaneous linear
equation.

[0083] In this way, a detection method of key leakage, a prevention method
of key leakage, and a suppression method of key leakage can be
implemented, by using a public key authentication scheme which can
generate a plurality of secret keys from one public key. Hereinafter, an
application example of a public key authentication scheme, which can
generate a plurality of secret keys from one public key, will be
described in detail.

2. THE FIRST EMBODIMENT OF THE PRESENT DISCLOSURE

[Overview]

[0084] First, an overview of a first embodiment of the present disclosure
will be described. The first embodiment of the present disclosure is
technology applicable to the case where a secret key is stored in a
device such as an IC card, and an authentication process is executed by
the device for personal verification.

[0085]FIG. 4 is an explanatory view illustrating an overview of an
authentication process between an authentication processing device 100a,
in which a secret key is stored, and a verification processing device
200a which executes a verification process. A secret key x, which is
generated by the above described key generation algorithm Gen, is stored
in the authentication processing device 100a prior to an authentication
process. Further, a public key F(x), which is generated by the above
described key generation algorithm Gen, is stored in the verification
processing device 200a prior to an authentication process. For example,
the authentication processing device 100a is an IC card, and the
verification processing device 200a is a server apparatus, an ATM
(Automated Teller machine) of a financial institution, or the like. Also,
an authentication protocol between the authentication processing device
100a and the verification processing device 200a is executed, at the time
when the authentication processing device 100a is held over a
reader/writer.

[0086]FIG. 5 is a flow chart which shows an authentication process
between the authentication processing device 100a, in which a secret key
is stored, and the verification processing device 200a which executes a
verification process.

[0087] A user who wants to authenticate that she is the person herself
generates a secret key x and a public key F(x) in advance by the above
described key generation algorithm Gen (step S11). The generation of this
secret key x and public key F(x) is performed by an information
processing apparatus capable of executing the key generation algorithm
Gen.

[0088] When the user generates a secret key x and a public key F(x), the
secret key x is registered in the authentication processing device 100a
while maintaining secrecy (step S12), and the public key F(x) is
registered in the verification processing device 200a (step S13). Then,
when the user specifies authentication execution to the authentication
processing device 100a (step S14), a prover algorithm P is executed by
the authentication processing device 100a, and an authentication process
between the authentication processing device 100a and the verification
processing device 200a is executed, by a verifier algorithm V being
executed in the verification processing device 200a (step S15).

[0089] If the secret key x is stored in a device such as an IC card, the
contents of the secret key x are not expected to be leaked to a third
party as long as this device is not lost. However, as described above, an
analysis method such as a side-channel attack has been proposed for a
device such as an IC card. Within this side-channel attack, there is a
power analysis attack. A power analysis attack is an attack method which
extracts, from the power consumption of a device in which a cryptographic
algorithm is implemented, a secret key stored in this device.

[0090] The power consumption of a device such as an IC card is known to
change depending on the input. Therefore, there are cases where the value
of a secret key can be analyzed by observing a change in the power
consumption which depends on the value of the secret key stored in the
device. Basically, since noise is mixed in the power consumption, the
influence of the noise is reduced and the secret key is extracted, by
statistically processing a plurality of waveforms in a power analysis
attack. Differential Power Analysis (DPA) has been proposed as one such
method (Paul Kocher, Joshua Jaffe, Benjamin Jun, "Differential Power
Analysis", CRYPTO'99).

[0091] Here, an example of a 1 bit DPA for a signature scheme using an MQ
function (MQ signature scheme) will be described. In an MA signature
scheme, an exclusive-OR operation of a random number r0 is performed
for the secret key x, and after this, the random number r0 is output
at random as an element in the signature. An ith bit xi of the
secret key x can be analyzed by using this operation. Specifically,
xi can be analyzed by a 1 bit DPA such as described as follows.

[0092] First, after a plurality of signatures are generated, the
signatures in which the random number r0 is output are gathered.
Next, the gathered signatures are divided into two groups, in accordance
with a value of the ith bit r0, of the random number r0.
Then, an average waveform is calculated for each group, and a
differential waveform of these two average waveforms is calculated. An
ith bit xi of the secret key x can be analyzed by the attitude
of the peaks of this differential waveform.

[0093] FIGS. 6A and 6B are explanatory views which show an example of a
differential waveform of an average waveform. FIG. 6A is an example of a
differential waveform of an average waveform which can be expected at the
time when the ith bit xi of the secret key x is 0, and FIG. 6B
is an example of a differential waveform of an average wavelength which
can be expected at the time when the ith bit xi of the secret
key x is 1. At the time when xi is 0, the value of the random number
r0 and the value of the exclusive-OR between the random number
r0 and the secret key x0 (r0+x0) match each other.
Therefore, the power consumption at the time of loading and at the time
of storing these values is similar, and as shown in FIG. 6A, the two
positive and negative peaks of the average waveform become the same. On
the other hand, at the time when xi is 1, the value of the random
number r0 and the value of the exclusive-OR between the random
number r0 and the secret key x0 (r0+x0) are
different. Therefore, the power consumption at the time of loading and at
the time of storing these values is significantly different, and as shown
in FIG. 6B, the two positive and negative peaks of the average waveform
become different. The contents of the secret key x may be extracted by a
power analysis attack by attempting an analysis for all the bits of this
secret key x.

[0094] While this is an example of a 1 bit DPA when performing an MQ
signature scheme, a similar process exists for an MQ authentication
scheme. Therefore, a 1 bit DPA of an MQ signature scheme can be easily
expanded to a 1 bit DPA of an MQ authentication scheme.

[0095] Accordingly, in the first embodiment of the present disclosure, the
value of a bit is not able to be estimated from the differential waveform
of an average waveform obtained by a power analysis attack. Specifically,
as described above, a plurality of secret keys corresponding to one
public key are generated, and when performing an authentication process,
the authentication processing device 100a selects one secret key at
random from among this plurality of secret keys. In this way, the
authentication processing device 100a can prevent a secret key from being
extracted by a power analysis attack, by selecting one secret key at
random from among a plurality of secret keys and executing an
authentication process.

[Operations]

[0096]FIG. 7 is a flow chart which shows an authentication process
between the authentication processing device 100a, in which a secret key
is stored, and the verification processing device 200a which executes a
verification process, according to the first embodiment of the present
disclosure. The flow chart shown in FIG. 7 shows an authentication
process in the case where a user who wants to authenticate that she is
the person herself generates a public key and two secret keys
corresponding to this public key.

[0097] The user who wants to authenticate that she is the person herself
generates secret keys x1, x2 and a public key F(x1) in
advance by the above described key generation algorithm Gen (step S101).
Here, the public key F(x1) satisfies F(x1)=F(x2). The
generation of these secret keys x1, x2 and public key
F(x1) is performed by an information processing apparatus capable of
executing the key generation algorithm Gen.

[0098] When the user generates secret keys x1, x2 and a public
key F(x1), the secret keys x1, x2 are registered in the
authentication processing device 100a while maintaining secrecy (step
S102), and the public key F(x1) is registered in the verification
processing device 200a (step S103). Then, when the user specifies
authentication execution to the authentication processing device 100a
(step S104), the authentication processing device 100a first selects (i
of {1,2}) at random (step S105). Then, an authentication process is
executed, by a prover algorithm P and a verifier algorithm V, using a
secret key xi corresponding to the i selected in the above described
step S105, between the authentication processing device 100a and the
verification processing device 200a (step S106).

[0099] In this way, when performing an authentication process, a 1 bit DPA
by a power analysis attack becomes difficult, due to the authentication
processing device 100a selecting one secret key at random from among the
two secret keys. This is because when the bit x11 of a secret key
x1 and the ith bit x2, of a secret key x2 are
different, statistical processing is not able to be accurately performed.
While the above described 1 bit DPA estimates the value of a bit in which
the differential waveform of an average waveform is calculated, since a
peak will not appear by calculating the differential waveform of an
average waveform, if the value of some bit is different for each process,
it will become extremely difficult to estimate the value of this bit.

[0100] On the other hand, since the authentication processing device 100a
only selects one secret key from among the two secret keys at the time
when performing authentication execution, it may not be necessary to
include unnecessary circuits for countermeasures against a power analysis
attack, and it may not be necessary to execute unnecessary processes.
Therefore, the authentication processing device 100a can implement
countermeasures against a power analysis attack with a low cost, and with
almost no reduction in speed or increase in power consumption.

3. THE SECOND EMBODIMENT OF THE PRESENT DISCLOSURE

[Overview]

[0101] Next, an overview of a second embodiment of the present disclosure
will be described. The second embodiment of the present disclosure is
technology applicable to the case where a user inputs the contents of a
secret key generated in advance to a device at the time when performing
authentication for personal verification.

[0102]FIG. 8 is an explanatory view which shows an overview of an
authentication process between an authentication processing device 100b
which executes an authentication process and a verification processing
device 200b which executes a verification process. A secret key x, which
is generated by the above described key generation algorithm Gen, is
input to the authentication processing device 100b by a user who wants to
receive personal verification. Further, a public key F(x), which is
generated by the above described key generation algorithm Gen, is stored
in the verification processing device 200b prior to an authentication
process by a prover algorithm P and a verifier algorithm V.

[0103] For example, the authentication processing device 100b is a front
end apparatus, and may be, other than an information processing apparatus
such as a personal computer, a smart phone or tablet, for example, an ATM
(Automated Teller machine) or the like of a financial institution. For
example, the verification processing device 200b is a back end apparatus,
and is a server apparatus or the like. Also, an authentication protocol
between the authentication processing device 100b and the verification
processing device 200b is executed, by the prover algorithm P and the
verifier algorithm V, at the time when the authentication processing
device 100b performs an input of a secret key from a user.

[0104] FIG. 9 is a flow chart which shows an authentication process, by
the prover algorithm P and the verifier algorithm V, between the
authentication processing device 100b which executes an authentication
process and the verification processing device 200b which executes a
verification process.

[0105] A user who wants to authenticate that she is the person herself
generates a secret key x and a public key F(x) in advance by the above
described key generation algorithm Gen (step S21). The generation of this
secret key x and public key F(x) is performed by an information
processing apparatus capable of executing the key generation algorithm
Gen.

[0106] When the user generates a secret key x and a public key F(x), the
public key is registered in the verification processing device 200b (step
S22). The secret key x is in a state in which the user can access it at
any time while maintaining secrecy. While it is desirable for the user to
memorize the contents of the secret key x if leakage of the secret key is
to be prevented, since the secret key x is not as easy to remember as a
password, it is assumed that it is written on paper or the like for a
time when it is forgotten. Also, the user inputs the secret key x to the
authentication processing device 100b, in order to execute an
authentication process between the authentication processing device 100b
and the verification processing device 200b (step S23). When the secret
key x is input to the authentication processing device 100b, an
authentication process is executed, by a prover algorithm P and a
verifier algorithm V, between the authentication processing device 100b
and the verification processing device 200b (step S24).

[0107] Compared with the condition in which the secret key is memorized,
in the case where the secret key is written down on paper or the like,
there is a high risk that the contents of this secret key will be leaked
to another person due to peaking or secret photography by the other
person. In this way, in the case where the secret key x is directly input
from the outside to the authentication processing device 100b, and an
authentication process is executed, by a prover algorithm P and a
verifier algorithm V, between the authentication processing device 100b
and the verification processing device 200b, if this secret key x is
leaked to another person, there is the possibility that this other person
will execute a regular authentication by using the secret key x. In this
case, the verification processing device 200b is not able to distinguish
whether the input of the secret key x is by a regular user or is by
another person.

[0108] Accordingly, in the second embodiment of the present disclosure,
such as described above, a plurality of secret keys corresponding to one
public key are generated, one of them is stored by the user as a secret
key to be normally used, and another is written down by the user, for
example, on paper or the like for temporary use for the time when the
contents of the secret key have been forgotten. Also, the verification
processing device 200b, at the time when performing an authentication
process, judges which of the secret keys is the secret key input to the
authentication processing device 100b, and determines whether or not it
is the temporary use secret key which is not the secret key normally
used, that is, the secret key written down on paper or the like by the
user. At the time when performing an authentication process, a temporary
use secret key being used is judged by the verification processing device
200b, and if the temporary use secret key is used, the user can be
reminded whether it is an intentional use of the temporary use secret key
by the user, or whether there has been a leakage of the temporary use
secret key, by notifying to the user that the temporary use secret key
has been used.

[Operations]

[0109] FIG. 10 is a flow chart which shows an authentication process
between the authentication processing device 100b, to which a secret key
is input, and a verification processing device 200b which executes a
verification process, according to the second embodiment of the present
disclosure. The flow chart shown in FIG. 10 shows an authentication
process in the case where a user who wants to authenticate that she is
the person herself generates a public key and two secret keys
corresponding to this public key.

[0110] The user who wants to authenticate that she is the person herself
generates secret keys x1, x2 and a public key F(x1) in
advance by the above described key generation algorithm Gen, applies a
hash function h to the secret keys x1, x2, and generates a hash
value z2=h(x2) (step S201). Here, the public key F(x1)
satisfies F(x1)=F(x2). The generation of these secret keys
x1, x2 and public key F(x1) is performed by an information
processing apparatus capable of executing the key generation algorithm
Gen. For example, the user strictly keeps the secret key x1, without
showing it to any another person, by memorizing the secret key or writing
down the secret key on paper or the like, as a normal use secret key, and
usually carries the secret key x2, which is written down on a paper
medium or the like, as a temporary use secret key.

[0111] The user generates the secret keys x1, x2 and the public
key F(x1) by executing the key generation algorithm, and when a hash
value z2 is additionally generated by applying a hash function to
the secret key x2, the public key F(x1) and the hash value
z2 are registered in the verification processing device 200b (step
S202). Then, the user inputs one secret key x from among the secret keys
x1, x2 to the authentication processing device 100b, in order
to execute an authentication process, by a prover algorithm P and a
verifier algorithm V, between the authentication processing device 100b
and the verification processing device 200b (step S203).

[0112] When the secret key is input from the user, the authentication
processing device 100b calculates a hash value z by applying the hash
function h to the input secret key, and transmits this hash value z to
the verification processing device 200b (step S204). The verification
processing device 200b compares whether or not the hash value z
transmitted from the authentication processing device 100b and the hash
value z2 registered from the user in advance match each other.

[0113] If the hash values z and z2 do not match, the verification
processing device 200b does not perform any particular process, and if
the hash values z and z2 do match, the verification processing
device 200b notifies to the user, by a method such as email or the like,
that the temporary use secret key x2 has been input to the
authentication processing device 100b (step S205).

[0114] Then, an authentication process is executed, by a prover algorithm
P and a verifier algorithm V, between the authentication processing
device 100b and the verification processing device 200b, using the secret
key x input in the above described step S203 (step S206). Then, if the
user receives a notification from the verification processing device
200b, leakage of the key can be detected by judging whether or not it is
a use of the temporary use secret key x2 which the user herself is
not able to remember (step S207).

[0115] As described above, in the present embodiment it is assumed that
the user usually carries the secret key x2, which is written down on
a paper medium or the like, as a temporary use secret key. Therefore,
this secret key x2 is information which has a high possibility of
being accessed by another person by some reason such as a loss of the
paper medium.

[0116] However, in this way, the user can be notified, by a notification
from the verification processing device 200b, whether the secret key
x2 used at the time of performing an authentication process was
input by the user herself or was input by another person, by registering
a hash value generated from the secret key x2 in the verification
processing device 200b along with the public key. The user who uses the
secret keys x1, x2 can detect whether or not there has been a
leakage of the temporary use secret key by the notification from the
verification processing device 200b, and in the case where there has been
a leakage, the user can prevent expansion of the damage by invalidating
the public key registered in the verification processing device 200b.

[0117] Note that while in the above described description the verification
processing device 200b does not perform any particular process if the
hash values z and z2 do not match each other, the present disclosure
is not limited to such an example. Since the hash values z and z2
not matching each other is used by the normal use secret key x1, the
verification processing device 200b may notify to the user, by some
method such as email or the like, that the normal use secret key x1
has been used.

4. THE THIRD EMBODIMENT OF THE PRESENT DISCLOSURE

[Overview]

[0118] Next, an overview of a third embodiment of the present disclosure
will be described. The third embodiment of the present disclosure is
technology applicable to the case where the rights of authentication are
shared between users by providing each different user with one of two or
more secret keys.

[0119] FIG. 11 is an explanatory view which shows the concept of an
authentication system which provides a secret key x to each different
user, by a key generator generating a shared secret key x. The key
generator generates a public key y=F(x) and a secret key x, and sends the
generated secret key to users 1 and 2. The users 1 and 2, to whom the
secret key x is sent from the key generator, execute authentication using
this secret key x. That is, a shared secret key x is shared by the users
1 and 2.

[0120] However, if such a same secret key is provided to a plurality of
users, in the case where it is revealed that the secret key has been
leaked, by the secret key being published on a web site on the internet
or the like, which user leaked the contents of the secret key will not be
able to be detected. Accordingly, in the third embodiment of the present
disclosure, a mechanism is disclosed capable of easily tracking which
user leaked the secret key, in the case where it is revealed that the
secret key has been leaked.

[0121] As described above, when an MQ function is used for the generation
of a secret key, a plurality of different secret keys corresponding to a
same public key can be generated. Therefore, in the case where it is
revealed that the secret key has been leaked, since which user leaked the
secret key can be easily tracked by sending different secret keys to each
of a plurality of users, it becomes a deterrent against the leakage of
the secret key.

[0122]FIG. 12 is an explanatory view which shows the concept of an
authentication system according to the third embodiment of the present
disclosure. Shown in FIG. 12 is the concept of an authentication system
which provides secret keys x1, x2 to each different user, by a
key generator generating different secret keys x1, x2.

[0123] The key generator generates a plurality of different secret keys
x1, x2 corresponding to a same public key y, by using the above
described key generation algorithm, and sends the secret key x1 to a
user 1 and the secret key x2 to a user 2. Further, the key generator
manages which secret key is sent to which user. Then, an authentication
process and a signature generation process are each executed with a
verifier, by the user 1 using the secret key x1 and the user 2 using
the secret key x2.

[0124] In this way, in the case where it is revealed that the secret key
has been leaked, which user leaked the secret key can be easily tracked
by managing which user has been sent which secret key, by generating a
plurality of different secret keys corresponding to a same public key,
and sending a different secret key to each user, and it becomes a
deterrent against the leakage of the secret key.

[0125] Note that while the above described example describes the case
where a plurality of different secret keys corresponding to a same public
key are generated, and different secret keys are sent to each user, the
third embodiment of the present disclosure is similarly applicable, when
an authentication process is executed by secret keys in a plurality of
servers, to the case where a plurality of different secret keys
corresponding to a same public key are generated, and the different
secret keys are sent to each server.

[0126] FIG. 13 is an explanatory view which shows the concept of an
authentication system according to the third embodiment of the present
disclosure. Shown in FIG. 13 is the concept of an authentication system
which provides secret keys x1, x2 to each different server, by
a key generator generating different secret keys x1, x2. In
this way, the key generator provides the secret keys x1, x2 to
each different server, and manages which secret key is sent to which
server. Also, if each server becomes a prover and a signer and an
authentication process and a signature generation process are each
executed with a verifier, from which server the secret key has been
leaked can be easily tracked in the case where it is revealed that the
secret key has been leaked.

5. MODIFIED EXAMPLES

[0127] While the above description shows the case where two secret keys
are generated for one public key by using an MQ function, c secret keys
can be generated for one public key by setting n values of an MQ function
such as described above, which is constituted by an n variable
multi-order polynomial in m lines, to c times that of m (c is an integer
of 2 or more).

[0128] Also, as a modified example of the above described first
embodiment, c secret keys generated for one public key are all included
in the authentication processing device 100a, and when performing an
authentication process, the leakage of a secret key by a power analysis
attack may be prevented by selecting one secret key at random from among
the c secret keys.

[0129] Further, as a modified example of the above described second
embodiment, separate roles may be provided for each of the three or more
types of secret keys. While the above described second embodiment
notifies a user that the temporary use secret key has been used, by email
or the like, from the verification processing device 2006 in the case
where a temporary use secret key is used, three secret keys may be
generated for one public key, for example, two secret keys from among
these may be temporary use secret keys, and different roles may be
provided for each of these temporary use secret keys.

[0130] Further, as a modified example of the above described third
embodiment, rights may be shared between three or more people, by
providing c secret keys generated for one public key to each different
user, and in the case where it is revealed that a secret key has been
leaked, it can be easy to track which user leaked the secret key.

[0131] As described above, when performing an authentication process by a
secret key generated using an MQ function, a one-time authentication
process is set as a modified example of the above described first
embodiment, and it is known that the probability of a false success in
the one-time authentication process can be reduced by repeating the
authentication process a plurality of times (a plurality of rounds) by
the above described n-pass public key authentication scheme. Also, in the
case where a plurality of secret keys can be generated for one public
key, an authentication process is also possible by using different secret
keys for each round. Therefore, as a modified example of the above
described first embodiment, the authentication processing device 100a may
select a secret key at random for each round, when performing a one-time
authentication process.

[0132]FIG. 14 is a flow chart which shows an authentication process
between the authentication processing device 100a, in which a secret key
is stored, and a verification processing device 200a which executes a
verification process, according to a modified example of the first
embodiment of the present disclosure. The flow chart shown in FIG. 14
shows an authentication process in the case where a user who wants to
authenticate that she is the person herself generates a public key and
two secret keys corresponding to this public key.

[0133] The user who wants to authenticate that she is the person herself
generates secret keys x1, x2 and a public key F(x1) in
advance by the above described key generation algorithm Gen (step S111).
Here, the public key F(x1) satisfies F(x1)=F(x2). The
generation of these secret keys x1, x2 and public key F(x1) is
performed by an information processing apparatus capable of executing the
key generation algorithm Gen.

[0134] When the user generates secret keys x1, x2 and a public
key F(x1), the secret keys x1, x2 are registered in the
authentication processing device 100a while maintaining secrecy (step
S112), and the public key F(x1) is registered in the verification
processing device 200a (step S113). Then, when the user specifies
authentication execution to the authentication processing device 100a
(step S114), the authentication processing device 100a first selects
((i1, i2, . . . , iN) of {1,2}) at random (step S115). Here, N represents
the round number in the one-time authentication process. Therefore, the
above described step S115 is a process in which the authentication
processing device 100a selects a secret key to be used at random for each
round from among x1, x2.

[0135] Then, an authentication process is performed, between the
authentication processing device 100a and the verification processing
device 200a, using a secret key xij corresponding to the i selected
in the above described step S115 (step S116). Note that j is an integer
from 1 up to N.

[0136] In this way, an effect can be expected in which a 1 bit DPA by a
power analysis attack becomes difficult, due to the authentication
processing device 100a selecting a secret key to be used at random for
each round in the one-time authentication process.

[0137] While the above described embodiment shows an example in the case
of performing generation of a secret key using an MQ function, it is
needless to say that it can be similarly applicable to the case of a
digital signature using an MQ function. Further, while the above
described embodiment uses an MQ function when generating a plurality of
secret keys for one public key, in this way, it is needless to say that
if there is an algorithm which can generate a plurality of secret keys
for one public key, the present disclosure will not be limited to that of
using an MQ function.

[0138] Here, an example of an algorithm for an authentication process
executed in each of the above described embodiments will be described.
Here, an algorithm of a 3-pass scheme will be described. An algorithm of
a 3-pass scheme is constituted by a key generation algorithm Gen, a
prover algorithm P, and a verifier algorithm V such as described
hereinafter.

[0140] Hereinafter, a process in which a prover algorithm P is executed
and a process in which a verifier algorithm V is executed in an
interactive protocol will be described with reference to FIG. 15. In this
interactive protocol, the prover shows to the verifier that "she herself
knows s which satisfies y=F(s)" without leaking any information of the
secret key s to the verifier. On the other hand, the verifier verifies
whether or not the prover knows s which satisfies y=F(s). Note that the
public key pk is disclosed to the verifier. Further, the secret key s is
managed in secret by the prover. Hereinafter, a description will be
carried forward in accordance with the flow chart shown in FIG. 15.

Process #1:

[0141] As shown in FIG. 15, first the prover algorithm P generates vectors
(r0, t0 of Kn) and (e0 of km) at random. Next,
the prover algorithm P calculates r1s-r0. This
calculation corresponds to an operation to mask the secret key s by the
vector r0. In addition, the prover algorithm P calculates
t1r0-t0. Next, the prover algorithm P calculates
e1F(r0)-e0.

[0143] The verifier algorithm V which received the message
(c0,c1,c2) selects which verification message is to be
used, from among the three verification patterns. For example, the
verifier algorithm V selects one numerical value from among the three
numerical values {0,1,2} which represent the type of verification
pattern, and sets the selected numerical value to a request Ch. This
request Ch is sent to the prover algorithm P.

Process #3:

[0144] The prover algorithm P which received the request Ch generates a
response Rsp to send to the verifier algorithm V in accordance with the
received request Ch. In the case where Ch=0, the prover algorithm P
generates a response Rsp=(r0,t1,e1). In the case where
Ch=1, the prover algorithm P generates a response
Rsp=(r1,t0,e0). In the case where Ch=2, the prover
algorithm P generates a response Rsp=(r1,t1,e1). The
response Rsp generated in process #3 is sent to the verifier algorithm V.

Process #4:

[0145] The verifier algorithm V which received the response Rsp executes
the following verification process by using the received response Rsp.

[0146] In the case where Ch=0, the verifier algorithm V verifies whether
or not the equal sign of c1=H(r0-t1,F(r0)-e1)
holds. In addition, the verifier algorithm V verifies whether or not the
equal sign of c2=H(t1,e1) holds. The verifier algorithm V
outputs a value of 1 which indicates a successful authentication in the
case where these verifications are all successful, and outputs a value of
0 which indicates an authentication failure in the case where there is a
failure in the verifications.

[0147] In the case where Ch=1, the verifier algorithm V verifies whether
or not the equal sign of c0=H(r1,G(t0,r1)+e0)
holds. In addition, the verifier algorithm V verifies whether or not the
equal sign of c1=H(t0,e0) holds. The verifier algorithm V
outputs a value of 1 which indicates a successful authentication in the
case where these verifications are all successful, and outputs a value of
0 which indicates an authentication failure in the case where there is a
failure in the verifications.

[0148] In the case where Ch=2, the verifier algorithm V verifies whether
or not the equal sign of
c0=H(r1,y-F(r1)-G(t1,r1)-e1) holds. In
addition, the verifier algorithm V verifies whether or not the equal sign
of c2=H(t1,e1) holds. The verifier algorithm V outputs a
value of 1 which indicates a successful authentication in the case where
these verifications are all successful, and outputs a value of 0 which
indicates an authentication failure in the case where there is a failure
in the verifications.

[0149] Heretofore, a configuration example of an efficient algorithm
according to a 3-pass scheme has been described. Of course, the algorithm
when performing an authentication process in the present disclosure is
not limited to such an example, and it is needless to say that another
algorithm can be used in a similar authentication process, in the case
where a public key and a plurality of secret keys corresponding to this
public key are generated from multivariable polynomials in m lines.

6: HARDWARE CONFIGURATION

[0150] Each algorithm described above can be performed by using, for
example, the hardware configuration of the information processing
apparatus shown in FIG. 16. That is, processing of each algorithm can be
realized by controlling the hardware shown in FIG. 16 using a computer
program. Additionally, the mode of this hardware is arbitrary, and may be
a personal computer, a mobile information terminal such as a mobile
phone, a PHS or a PDA, a game machine, a contact or contactless IC chip,
a contact or contactless IC card, or various types of information
appliances. Moreover, the PHS is an abbreviation for Personal Handy-phone
System. Also, the PDA is an abbreviation for Personal Digital Assistant.

[0151] As shown in FIG. 16, this hardware mainly includes a CPU 902, a ROM
904, a RAM 906, a host bus 908, and a bridge 910. Furthermore, this
hardware includes an external bus 912, an interface 914, an input unit
916, an output unit 918, a storage unit 920, a drive 922, a connection
port 924, and a communication unit 926. Moreover, the CPU is an
abbreviation for Central Processing Unit. Also, the ROM is an
abbreviation for Read Only Memory. Furthermore, the RAM is an
abbreviation for Random Access Memory.

[0152] The CPU 902 functions as an arithmetic processing unit or a control
unit, for example, and controls entire operation or a part of the
operation of each structural element based on various programs recorded
on the ROM 904, the RAM 906, the storage unit 920, or a removable
recording medium 928. The ROM 904 is a device for storing, for example, a
program to be loaded on the CPU 902 or data or the like used in an
arithmetic operation. The RAM 906 temporarily or perpetually stores, for
example, a program to be loaded on the CPU 902 or various parameters or
the like arbitrarily changed in execution of the program.

[0153] These structural elements are connected to each other by, for
example, the host bus 908 capable of performing high-speed data
transmission. For its part, the host bus 908 is connected through the
bridge 910 to the external bus 912 whose data transmission speed is
relatively low, for example. Furthermore, the input unit 916 is, for
example, a mouse, a keyboard, a touch panel, a button, a switch, or a
lever. Also, the input unit 916 may be a remote control that can transmit
a control signal by using an infrared ray or other radio waves.

[0154] The output unit 918 is, for example, a display device such as a
CRT, an LCD, a PDP or an ELD, an audio output device such as a speaker or
headphones, a printer, a mobile phone, or a facsimile, that can visually
or auditorily notify a user of acquired information. Moreover, the CRT is
an abbreviation for Cathode Ray Tube. The LCD is an abbreviation for
Liquid Crystal Display. The PDP is an abbreviation for Plasma Display
Panel. Also, the ELD is an abbreviation for Electro-Luminescence Display.

[0155] The storage unit 920 is a device for storing various data. The
storage unit 920 is, for example, a magnetic storage device such as a
hard disk drive (HDD), a semiconductor storage device, an optical storage
device, or a magneto-optical storage device. The HDD is an abbreviation
for Hard Disk Drive.

[0156] The drive 922 is a device that reads information recorded on the
removable recording medium 928 such as a magnetic disk, an optical disk,
a magneto-optical disk, or a semiconductor memory, or writes information
in the removable recording medium 928. The removable recording medium 928
is, for example, a DVD medium, a Blu-ray medium, an HD-DVD medium,
various types of semiconductor storage media, or the like. Of course, the
removable recording medium 928 may be, for example, an electronic device
or an IC card on which a non-contact IC chip is mounted. The IC is an
abbreviation for Integrated Circuit.

[0157] The connection port 924 is a port such as an USB port, an IEEE1394
port, a SCSI, an RS-232C port, or a port for connecting an externally
connected device 930 such as an optical audio terminal. The externally
connected device 930 is, for example, a printer, a mobile music player, a
digital camera, a digital video camera, or an IC recorder. Moreover, the
USB is an abbreviation for Universal Serial Bus. Also, the SCSI is an
abbreviation for Small Computer System Interface.

[0158] The communication unit 926 is a communication device to be
connected to a network 932, and is, for example, a communication card for
a wired or wireless LAN, Bluetooth (registered trademark), or WUSB, an
optical communication router, an ADSL router, or a device for contact or
non-contact communication. The network 932 connected to the communication
unit 926 is configured from a wire-connected or wirelessly connected
network, and is the Internet, a home-use LAN, infrared communication,
visible light communication, broadcasting, or satellite communication,
for example. Moreover, the LAN is an abbreviation for Local Area Network.
Also, the WUSB is an abbreviation for Wireless USB. Furthermore, the ADSL
is an abbreviation for Asymmetric Digital Subscriber Line.

7. CONCLUSION

[0159] According to the present disclosure as described above, a detection
method of key leakage, a prevention method of key leakage, and a
suppression method of key leakage are implemented, by using a public key
authentication scheme in which a plurality of secret keys can be
generated for a same public key, such as a key generation algorithm using
an MQ function.

[0160] In a first embodiment of the present disclosure, a plurality of
secret keys generated for a same public key are recorded in an
authentication processing device, as power analysis attack
countermeasures for an authentication processing device such as an IC
card in which a secret key is recorded. When performing an authentication
process, the authentication processing device selects one secret key at
random from among the plurality of secret keys. Extraction of a secret
key by a power analysis attack can be made difficult by having the
authentication processing device select one secret key at random from
among the plurality of secret keys when performing an authentication
process.

[0161] In a second embodiment of the present disclosure, in the case where
a secret key is input to an authentication processing device, if a
temporary use secret key, which is not a normal use secret key, is input
to the authentication processing device, a user is notified that the
temporary use secret key has been used, via the verification processing
device. The user can judge whether the temporary use secret key has been
intentionally used or whether it has been leaked, by being notified that
the temporary use secret key has been used.

[0162] In a third embodiment of the present disclosure, a plurality of
secret keys corresponding to one public key are each sent to different
users. In the case where one secret key is leaked, since who leaked the
secret key can be easily tracked by sending each of a plurality of secret
keys corresponding to one public key to different users, it becomes a
deterrent against leakage of the secret key.

[0163] Note that while each of the above described embodiments have been
described by showing examples of secret keys generated by using an MQ
function, as a plurality of secret keys which can be generated for one
public key, the present disclosure is not limited to such examples.
According to a public key authentication scheme and a digital signature
scheme which can generate a plurality of secret keys for one public key,
it is needless to say that these schemes are similarly applicable to each
of the above described embodiments. Further, while in each of the above
described embodiments an authentication processing device which executes
an authentication process and a verification processing device which
implements a verification process may each be included in separate
apparatuses, they may also be included in the same apparatus.

[0164] Lastly, the technical contents according to the embodiment of the
present technology will be briefly described. The technical contents
stated here can be applied to various information processing apparatuses,
such as a personal computer, a mobile phone, a portable game machine, a
portable information terminal, an information appliance, a car navigation
system, and the like. Further, the function of the information processing
apparatus described below can be realized by using a single information
processing apparatus or using a plurality of information processing
apparatuses. Furthermore, a data storage device and an arithmetic
processing device which are used for performing a process by the
information processing apparatus described below may be mounted on the
information processing apparatus, or may be mounted on a device connected
via a network.

[0165] Note that the above described key generation algorithm Gen, the
prover algorithm P, the verifier algorithm V, the signature generation
algorithm Sig, and the signature verification algorithm Ver are examples
of a key selection section and a process execution section according to
an embodiment of the present disclosure.

[0166] It should be understood by those skilled in the art that various
modifications, combinations, sub-combinations and alterations may occur
depending on design requirements and other factors insofar as they are
within the scope of the appended claims or the equivalents thereof.

[0167] Additionally, the present technology may also be configured as
below.

(1) An information processing apparatus including:

[0168] a key selection section configured to select one out of a plurality
of different secret keys, in a public key authentication scheme or a
digital signature scheme in which each of the plurality of secret keys
exists for one public key registered in a verifier; and

[0169] a process execution section configured to execute, by using the
secret key selected by the key selection section, an authentication
process with the verifier by the public key authentication scheme or a
digital signature generation process to the verifier by the digital
signature scheme.

(2) The information processing apparatus according to (1),

[0170] wherein the key selection section is configured to select one out
of the plurality of secret keys at random when performing the
authentication process with the verifier or the digital signature
generation process.

(3) The information processing apparatus according to (2),

[0171] wherein the key selection section is configured to select one out
of the plurality of secret keys at random for each authentication process
or digital signature generation process, in a case where the process
execution section completes a one-time authentication by repeating the
authentication process with the verifier, or in a case where the process
execution section completes a generation of a one-time digital signature
by repeating the digital signature generation process.

(4) The information processing apparatus according to (1),

[0172] wherein the process execution section is configured to register, in
the verifier, a first hash value obtained by applying a hash function to
a first secret key within the plurality of secret keys.

(5) The information processing apparatus according to (4),

[0173] wherein the process execution section is configured to apply the
hash function to a secret key used when performing the authentication
process with the verifier by the public key authentication scheme or the
digital signature generation process to the verifier by the digital
signature scheme, and transmit, to the verifier, a second hash value to
be compared with the first hash value.

(6) The information processing apparatus according to (5), further
including:

[0174] a comparison function section configured to compare the first hash
value and the second hash value when the verifier performs a verification
process using the public key authentication scheme or the digital
signature scheme, and execute a prescribed notification process in
accordance with a result of the comparison.

(7) The information processing apparatus according to (1),

[0175] wherein the plurality of secret keys are registered in respective
different apparatuses, and

[0177] wherein the public key authentication scheme or the digital
signature scheme is a public key authentication scheme which sets (s of
Kn) to a secret key, and sets a multi-order polynomial
fi(x1, . . . , xn) (i=1 to m) on a ring K and
yi=fi(s) to a public key.

(9) An information processing method including:

[0178] selecting one out of a plurality of different secret keys, in a
public key authentication scheme or a digital signature scheme in which
each of the plurality of secret keys exists for one public key registered
in a verifier; and

[0179] executing, by using the secret key selected by the key selection
step, an authentication process with the verifier by the public key
authentication scheme or a digital signature generation process to the
verifier by the digital signature scheme.

(10) A non-transitory computer-readable medium including a computer
program, which when executed by a computer, causes the computer to:

[0180] select one out of a plurality of different secret keys, in a public
key authentication scheme or a digital signature scheme in which each of
the plurality of secret keys exists for one public key registered in a
verifier; and

[0181] execute, by using the secret key selected by the key selection
step, an authentication process with the verifier by the public key
authentication scheme or a digital signature generation process to the
verifier by the digital signature scheme.

(11) An information processing apparatus including:

[0182] a comparison processing section configured to acquire, in a public
key authentication scheme or an digital signature scheme in which a
plurality of different secret keys exist for one public key, a first hash
value obtained by a prover applying a hash function to a first secret key
within the plurality of secret keys, and a second hash value obtained by
the prover applying a hash function to a secret key used when performing
an authentication process with a verifier or a digital signature
generation process to the verifier by the digital signature scheme;
compare the first hash value and the second hash value when performing a
verification process using the public key authentication scheme or the
digital signature scheme; and execute a prescribed notification process
to the prover in accordance with a result of the comparison.

[0183] The present disclosure contains subject matter related to that
disclosed in Japanese Priority Patent Application JP 2012-198343 filed in
the Japan Patent Office on Sep. 10, 2012, the entire content of which is
hereby incorporated by reference.